[PATCH] tdfxfb: Fix buffer overrun
authorAntonino A. Daplas <adaplas@gmail.com>
Sat, 11 Mar 2006 11:27:26 +0000 (03:27 -0800)
committerLinus Torvalds <torvalds@g5.osdl.org>
Sat, 11 Mar 2006 17:19:36 +0000 (09:19 -0800)
The pseudo_palette has room only for 16 entries, but tdfxfb_setcolreg may
attempt to write more.

Coverity Bug 557

Signed-off-by: Antonino Daplas <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/video/tdfxfb.c

index 3e7baf4c9fa8066be24cab44fb97e0aafd8fde5a..5e5328d682db52aee991d6b48fa11951395250ba 100644 (file)
@@ -786,28 +786,32 @@ static int tdfxfb_setcolreg(unsigned regno, unsigned red, unsigned green,
        if (regno >= info->cmap.len || regno > 255) return 1;
    
        switch (info->fix.visual) {
-               case FB_VISUAL_PSEUDOCOLOR:
-                       rgbcol =(((u32)red   & 0xff00) << 8) |
-                               (((u32)green & 0xff00) << 0) |
-                               (((u32)blue  & 0xff00) >> 8);
-                       do_setpalentry(par, regno, rgbcol);
-                       break;
-               /* Truecolor has no hardware color palettes. */
-               case FB_VISUAL_TRUECOLOR:
+       case FB_VISUAL_PSEUDOCOLOR:
+               rgbcol =(((u32)red   & 0xff00) << 8) |
+                       (((u32)green & 0xff00) << 0) |
+                       (((u32)blue  & 0xff00) >> 8);
+               do_setpalentry(par, regno, rgbcol);
+               break;
+       /* Truecolor has no hardware color palettes. */
+       case FB_VISUAL_TRUECOLOR:
+               if (regno < 16) {
                        rgbcol = (CNVT_TOHW( red, info->var.red.length) <<
                                  info->var.red.offset) |
-                                (CNVT_TOHW( green, info->var.green.length) <<
-                                 info->var.green.offset) |
-                                (CNVT_TOHW( blue, info->var.blue.length) <<
-                                 info->var.blue.offset) |
-                                (CNVT_TOHW( transp, info->var.transp.length) <<
-                                 info->var.transp.offset);
-                               par->palette[regno] = rgbcol;
-                       break;
-               default:
-                       DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
-                       break;
+                               (CNVT_TOHW( green, info->var.green.length) <<
+                                info->var.green.offset) |
+                               (CNVT_TOHW( blue, info->var.blue.length) <<
+                                info->var.blue.offset) |
+                               (CNVT_TOHW( transp, info->var.transp.length) <<
+                                info->var.transp.offset);
+                       par->palette[regno] = rgbcol;
+               }
+
+               break;
+       default:
+               DPRINTK("bad depth %u\n", info->var.bits_per_pixel);
+               break;
        }
+
        return 0;
 }